To what attacks is using the value of the HOST header to craft self-referential URLs vulnerable?

From official ASP.NET Core docs, namely Routing in ASP.NET Core § URL generation concepts:

Use GetUri* extension methods with caution in an app configuration that doesn’t validate the Host header of incoming requests. If the Host header o…

Realistically, how likely is it to have a computer compromised from browsing random websites?

Another question inspired by a recent discussion in the ‘The DMZ’ chatroom.
Long story short: IT guys are worried that accountants’ workstations may become compromised because accountants watch cat meme websites. Proposed solution: Lock do…

How does validating the PGP signature of a downloaded executable against the publisher’s public key show that the binary has not been tampered with?

Websites that host downloadable executables often provide measures to confirm the integrity of the data that is available to download. Such measures include:

Hosting the website under HTTPS;
Providing the SHA-256 sum of the downloaded bin…

Do corporate systems need to be updated immediately after updates are available? [duplicate]

I lived under the impression that timely updates were very important. Even a home user wouldn’t like their computer to demand ransom for their data. However, the less home and the more corporate our setting is, security only becomes more, not …

What is the risk of compromise of an old, Internet-capable phone not used for browsing? (not smartphone)

I’m talking about a class of old mobile phones that are not smartphones but are still (theoretically) Internet-capable, at least via 3G. Examples of such phones include Series 40 Nokia phones or the Samsung phone featured in Spectre (OK th…